Thanks Fang, but how can you make security patches pre-approved changes? These patches require a server reboot, and any change with an outage cannot be made a standard change.

Actually, I was of the view that if we include the patches in the change management process, then we will require extra hands to manage the patch requests. What do you say? Is there any way we can manage these without extra hands?

ITIL is a set of guidelines and best practice, not a rule book. We allow our version of standard changes (called Routine Pre-Approved changes) to have a small impact on users.

We define our Routine Pre-Approved changes as changes that are regularly carried out, are low risk and have little impact on supported users. When a change is required that is known to have a visible impact on supported users it will go through Normal CAB approval process.

Routine Pre-Approved changes have the following characteristics:
• They follow an established, well proven path
• Have a defined trigger that initiates the change request for a pre-Approved change
• There is an approved set of procedures that must be followed for the change to be deemed approved
• They are relatively common
• They are the accepted solution to a specific requirement or set of requirements

So there is a clearly defined subset of pre-approved changes, which are performed by our Security group only. Server re-boots are very short, and unless there is an on-going security issue that needs patching/sorting NOW (in which case it’s an Emergency change) then the patches are put on when the re-boot shouldn’t affect too many users.

I am a Change Management team of one – so there are no extra hands. The Security staff are responsible for the security patches, once the procedure to do them has been scrutinised and approved by CAB.